CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-36422 – GHSL-2023-245: Flowise xss in api/v1/chatflows/id
https://notcve.org/view.php?id=CVE-2024-36422
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. • https://github.com/FlowiseAI/Flowise/blob/flowise-ui%401.4.0/packages/server/src/index.ts#L312-L312 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-36421 – GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts
https://notcve.org/view.php?id=CVE-2024-36421
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. • https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L122 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-346: Origin Validation Error •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-36420 – GHSL-2023-232: Flowise Path Injection at /api/v1/openai-assistants-file
https://notcve.org/view.php?id=CVE-2024-36420
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. Flowise es una interfaz de usuario de arrastrar y soltar para crear un flujo de modelo de lenguaje grande personalizado. En la versión 1.4.3 de Flowise, el endpoint `/api/v1/openai-assistants-file` en `index.ts` es vulnerable a la lectura arbitraria de archivos debido a la falta de sanitización del parámetro del cuerpo `fileName`. • https://github.com/FlowiseAI/Flowise/blob/e93ce07851cdc0fcde12374f301b8070f2043687/packages/server/src/index.ts#L982 https://securitylab.github.com/advisories/GHSL-2023-232_GHSL-2023-234_Flowise • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •